Encryption key to mobile data security

Companies should enforce polices on the use of mobile devices and use data encryption as the cornerstone of a standard configuration to cut the risks to companies of lost or stolen devices, analysts have warned.

Legal liability over information found on misplaced machines, and the growing threat of virus attacks, are the main mobile menaces for managers.

In a report, Managing and Securing the Mobile Device, Michael Disabato, vice president and service director at analyst Burton Group, recommended data encryption as the mainstay of mobile security.

Remotely wiping data on lost machines is no guarantee that it has not already been compromised, according to the analyst.

"Even if recovery and erasure are considered as options, data should be encrypted to ensure it is protected," he said in the report.

The report also recommends a standard configuration for laptops including disk encryption, personal firewalls, virus scanners, spyware detectors and virtual private network (VPN) clients.

PDAs should also have content encrypted and use VPN clients, but the analyst warned that with mobile phones it was not cost-effective for firms to do anything than rely on physical security.

Disabato added that updates to virus software on laptops should occur automatically without requiring user intervention.

Mobile user policies, building on the standard secure configuration, should bear in mind that the weakest link in the security chain is the user.

"[Without] consistent, reasonable, enforceable policies the user will view security measures as an inconvenience rather than the protection they are," said the analyst.

A checklist for any mobile use policy should cover areas such as wireless local area networking, public hotspots, home networks, the corporate network, use of mobile phones, reporting theft or loss of devices.

It should also cover approved connections, authentication credentials and their use, and notification of HR and IT departments when staff leave the company.

Devices owned by the firm, or user devices that can access corporate networks, should both be covered.